NoSQL database systems are designed to provide real-time performance while managing large
volumes of data. This performance, coupled with the no-cost philosophy behind many NoSQL
products, has led many companies to take a look at NoSQL.


Who uses NoSQL?

NoSQL can be an important tool for any company, large or small, that has big data. Big
data is simply any data set that has grown too big to be efficiently worked on in real-time with
traditional database tools.

NoSQL is
a broad class of database management systems that are not traditional relational database
management systems. They do not use SQL as the primary query language, nor do they typically
require fixed table schemas. Also, NoSQL is not a single-vendor product (many NoSQL implementations
are open source), but rather an umbrella term that can be applied to any of the non-RDBMS big data
alternative systems.

Currently, NoSQL databases are in the evolutionary stage of their lifecycle and, unlike their
RDBMS counterparts, such as DB2, MySQL, Oracle and SQL Server, the attack vectors for NoSQL
databases aren’t well mapped out. And it’s likely new attack vectors will emerge that will target
NoSQL data stores in new ways.

More specifically, data breaches caused by a NoSQL injection are probably not far away. With
some NoSQL implementations being, essentially, authentication-free JavaScript processing engines,
this is inevitable. Indeed, the basics of just such a vulnerability were exposed at Black Hat USA
last year when Bryan Sullivan demonstrated a server-side JavaScript injection attack against one
NoSQL implementation that could discover database contents and run basic commands.
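To make the injection risk described above concrete, the following JavaScript is an added example written for this page, not code from the article or from any NoSQL product it mentions. It uses a constructed in-memory user collection and a minimal query matcher to show a login filter that splices a parsed request body straight into the query, beside a hardened version that type-checks each value and rejects operator-like keys. The `$gt`/`$ne` operator semantics, the `USERS` records and all function names are assumptions made for illustration.

```javascript
'use strict';

// Constructed user records standing in for a document collection.
const USERS = [
  { username: 'alice', passwordHash: 'hash-of-alice-secret', role: 'admin' },
  { username: 'bob',   passwordHash: 'hash-of-bob-secret',   role: 'user' },
];

// Minimal query matcher supporting equality plus the $gt and $ne operators,
// enough to reproduce how a document store treats an operator object that
// arrives where a plain string was expected.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return value === cond;
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

// Vulnerable: the parsed JSON body is copied straight into the query, so a
// client that sends an object instead of a string chooses the operator.
// (Real code would hash the supplied password before the lookup; that step is
// left out so the query shape stays visible.)
function vulnerableLoginFilter(body) {
  return { username: body.username, passwordHash: body.password };
}

// Hardened: each user-supplied value must be a primitive string. Rejecting
// rather than coercing is deliberate: the rejection is itself a signal worth
// logging and alerting on.
function requireString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

// General check for documents or filters assembled from client input: no key
// at any depth may start with '$' or contain '.', the characters a document
// store interprets as an operator or a field path.
function rejectOperatorKeys(value, path = '$root') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => rejectOperatorKeys(item, `${path}[${i}]`));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key.startsWith('$') || key.includes('.')) {
        throw new TypeError(`operator-like key at ${path}.${key}`);
      }
      rejectOperatorKeys(child, `${path}.${key}`);
    }
  }
  return value;
}

function hardenedLoginFilter(body) {
  return {
    username: requireString(body.username, 'username'),
    passwordHash: requireString(body.password, 'password'),
  };
}

// Demonstration on a constructed request body.
const crafted = { username: 'alice', password: { $gt: '' } };
console.log('vulnerable:', find(vulnerableLoginFilter(crafted)).map((u) => u.username)); // [ 'alice' ]
try {
  hardenedLoginFilter(crafted);
} catch (err) {
  console.log('hardened:', err.message); // password must be a string, got object
}
```

The defensive lesson is in `requireString` and `rejectOperatorKeys`: schema-less stores will happily evaluate whatever structure the application hands them, so the type and shape of every client-supplied value has to be pinned down in the application before the query is built.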

Is NoSQL secure?

The truth is that NoSQL has not been designed with security as a priority, so developers or
security teams must add a security layer to their organisations' NoSQL
applications.

During the last couple years, many small businesses have been moving into big data territory,
struggling to manage ever-increasing volumes of business data. So it should come as no surprise to
learn that threat-tracking firms have reported increased security researcher and hacker activity
targeting the NoSQL database sector. Some of this is driven by confusion amongst small businesses
about how NoSQL databases can be securely implemented. Too often, these companies ignore NoSQL
security measures -- measures that would have been implemented by default with traditional
RDBMS installations.

About Kerberos and NTLM

Kerberos is a method for
authenticating a request for a service in a network.

For example, many NoSQL products allow and even recommend the use of a “trusted environment”
with no additional security or authentication measures in place. These modes assume that only
trusted machines can access the database's TCP ports. But relying on the network to protect data in
an Internet-enabled world is a sure-fire way of inviting a breach of any sensitive information held
there.

Fortunately, as the NoSQL market matures, security will mature with it. Kerberos authentication modules
are now becoming available, which should provide access control capabilities equivalent to the
current Kerberos or NTLM (Microsoft Windows NT LAN Manager) approaches to user authentication.

Securing NoSQL databases

Because most of the popular NoSQL databases are open source, IT staff would be wise to devote
some time to contributing stronger authentication and encryption systems to their NoSQL
implementations, rather than waiting for the publisher of a proprietary database to make
changes.

NoSQL data stores are basically vulnerable to the same security risks as traditional RDBMS data
stores, so the usual best practices for storing sensitive data should be applied when developing a
NoSQL-based application. These include:

Of course, it would be ideal if there were an accepted standard for authentication,
authorisation and encryption in the yet-to-mature NoSQL space. Until such a standardised consensus
can be reached, the best approach is to look at security in the middleware layer, rather than on
the cluster level, as most middleware software comes with ready-made support for authentication,
authorisation and access control. For example, if Java is being used, then the JAAS, Oracle Corp.
J2EE or SpringSource (a division of VMware) Spring Security frameworks are available to provide
authentication, authorisation and access control for NoSQL database implementations.
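As an added illustration of enforcing security in the middleware layer rather than on the cluster, the JavaScript below is example code written for this page; it is not part of the article and not taken from JAAS, J2EE or Spring Security. It models a guard that authenticates an opaque session token, checks a role-based policy per collection and operation, redacts fields the role may not see, and writes an audit record for every decision before anything reaches the data store. The session table, policy, document store and all names are constructed assumptions.

```javascript
'use strict';

// Constructed session table: opaque token -> authenticated principal.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', roles: ['analyst'] }],
  ['tok-bob',   { user: 'bob',   roles: ['admin'] }],
]);

// Constructed policy: for each role and collection, the permitted operations
// and the fields that role must never see.
const POLICY = {
  analyst: { customers: { ops: ['find'], hide: ['ssn', 'cardNumber'] } },
  admin:   { customers: { ops: ['find', 'insert', 'remove'], hide: [] } },
};

// Constructed stand-in for the document store sitting behind the middleware.
const STORE = {
  customers: [
    { id: 1, name: 'Ada',   ssn: '000-00-0001', cardNumber: '4111-0001' },
    { id: 2, name: 'Grace', ssn: '000-00-0002', cardNumber: '4111-0002' },
  ],
};

// Append-only decision log for detection tooling; the token itself is never
// recorded, only the resolved user.
const AUDIT = [];

function authenticate(token) {
  if (typeof token !== 'string') return null;
  return SESSIONS.get(token) || null;
}

// Union of what the principal's roles allow on a collection. A field stays
// hidden only if every role that grants access hides it.
function entitlements(principal, collection) {
  const ops = new Set();
  let hide = null;
  for (const role of principal.roles) {
    const rule = POLICY[role] && POLICY[role][collection];
    if (!rule) continue;
    rule.ops.forEach((op) => ops.add(op));
    hide = hide === null
      ? new Set(rule.hide)
      : new Set([...hide].filter((field) => rule.hide.includes(field)));
  }
  return ops.size > 0 ? { ops, hide } : null;
}

function redact(doc, hidden) {
  return Object.fromEntries(
    Object.entries(doc).filter(([field]) => !hidden.has(field)),
  );
}

// Single entry point for reads. Every outcome, allowed or refused, is audited
// so that a detection pipeline sees probing as well as successful access.
function guardedFind(token, collection) {
  const principal = authenticate(token);
  const user = principal ? principal.user : 'anonymous';
  const decide = (status, outcome, docs = []) => {
    AUDIT.push({ user, collection, op: 'find', outcome });
    return { status, docs };
  };
  if (!principal) return decide(401, 'unauthenticated');
  const ent = entitlements(principal, collection);
  if (!ent || !ent.ops.has('find')) return decide(403, 'forbidden');
  const docs = (STORE[collection] || []).map((doc) => redact(doc, ent.hide));
  return decide(200, 'allowed', docs);
}

console.log(guardedFind('tok-alice', 'customers').docs); // id and name only
console.log(guardedFind('tok-alice', 'orders').status);  // 403
```

Because the policy lives in the application tier, it applies the same way whichever NoSQL engine is deployed underneath, and the audit trail gives the security team a place to look for anonymous or forbidden requests without depending on the cluster's own logging.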

In closing, the most important tip to take from this brief exploration of NoSQL security is
this: Beware of jumping on the NoSQL bandwagon until you have made sure the wheels won't fall off.
Recognize that NoSQL databases are inherently insecure. If you decide to proceed, apply your own
encryption and authentication controls to safeguard the big data in your NoSQL databases.

About the author:

Davey Winder is a UK-based freelance writer and former 'Technology Journalist of the Year'
who has spent the best part of two decades writing about IT security issues. A three time winner of
the 'Information Security Journalist of the Year' title, in 2011 Davey was honoured to receive the
Enigma Award from BT in recognition of his lifetime contribution to information security
journalism.
